PraisonAI has critical RCE via `type: job` workflow YAML
Vulnerability Description
`praisonai workflow run <file.yaml>` loads untrusted YAML and, if the file declares `type: job`, executes its steps through `JobWorkflowExecutor` in job_workflow.py. This supports:

- `run:` → shell command execution via `subprocess.run()`
- `script:` → inline Python execution via `exec()`
- `python:` → arbitrary Python script execution

A malicious YAML file can execute arbitrary host commands.

### Affected Code

- workflow.py → `action_run()`
- job_workflow.py → `_exec_shell()`, `_exec_inline_python()`, `_exec_python_script()`

### PoC

Create `exploit.yaml`:

```yaml
type: job
name: exploit
steps:
  - name: write-file
    run: python -c "open('pwned.txt','w').write('owned')"
```

Run:

```bash
praisonai workflow run exploit.yaml
```

### Reproduction Steps

1. Save the YAML above as `exploit.yaml`.
2. Execute `praisonai workflow run exploit.yaml`.
3. Confirm `pwned.txt` appears in the working directory.

### Impact

Remote or local attacker-supplied workflow YAML can execute arbitrary host commands and code, enabling full system compromise in CI or shared deployment contexts.

**Reporter:** Lakshmikanthan K (letchupkt)

Source Code Location: https://github.com/MervinPraison/PraisonAI

Affected Packages:

- pip:praisonaiagents, affected <= 1.5.139, patched in 1.5.140
- pip:PraisonAI, affected <= 4.5.138, patched in 4.5.139

CWEs:

- CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
- CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS:

- Primary: score 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- CVSS_V3: score 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

- https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-vc46-vw85-3wvm
- https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.139
- https://github.com/advisories/GHSA-vc46-vw85-3wvm
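For pipelines that accept workflow files from outside a trusted repository, a pre-flight gate can parse the YAML without running it and flag the step keys the description above names (`run:`, `script:`, `python:`) under `type: job`. This is an added example, not part of the advisory or of PraisonAI's code; `audit_workflow`, `audit_file`, `EXEC_KEYS` and `SAMPLE` are hypothetical names, the case-insensitive match on `type` is a conservative assumption, and PyYAML is assumed to be installed for `audit_file`.

```python
from typing import Any

# Step keys the advisory lists as reaching subprocess.run(), exec() or script execution.
EXEC_KEYS = {"run": "shell command", "script": "inline Python", "python": "Python script"}


def audit_workflow(doc: Any) -> list[str]:
    """Return findings for a parsed workflow; an empty list means nothing was flagged."""
    if not isinstance(doc, dict):
        return ["top level is not a mapping; refuse to run"]
    # Assumption: match `type` case-insensitively so the gate over-flags rather than misses.
    if str(doc.get("type", "")).strip().lower() != "job":
        return []  # only `type: job` is routed to JobWorkflowExecutor per the advisory
    steps = doc.get("steps")
    if not isinstance(steps, list):
        return ["type: job with malformed steps; refuse to run"]
    findings = []
    for i, step in enumerate(steps):
        if not isinstance(step, dict):
            findings.append(f"step {i}: not a mapping")
            continue
        name = step.get("name", f"#{i}")
        for key, kind in EXEC_KEYS.items():
            if key in step:
                preview = str(step[key])[:60]
                findings.append(f"step {name!r}: `{key}:` executes {kind}: {preview!r}")
    return findings


def audit_file(path: str) -> list[str]:
    """Parse with yaml.safe_load (never executes the workflow) and audit the result."""
    import yaml  # PyYAML, assumed installed
    with open(path, encoding="utf-8") as fh:
        return audit_workflow(yaml.safe_load(fh))


# Constructed sample: the advisory's PoC structure, already parsed, plus one inline step.
SAMPLE = {"type": "job", "name": "exploit", "steps": [
    {"name": "write-file", "run": "python -c \"open('pwned.txt','w').write('owned')\""},
    {"name": "inline", "script": "print(1)"},
]}

if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE):
        print("BLOCK:", finding)
```

A non-empty result should fail the job before `praisonai workflow run` is invoked; upgrading to the patched releases listed under Affected Packages remains the fix.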